Bobcares

Fail2ban Postfix Dovecot: Configuration.

by | Aug 15, 2022

Let’s look at how to use fail2ban with postfix and dovecot in more detail. At Bobcares, we can give you a complete guide on how to do it with our Server Management service.

Fail2ban


It is an effective tool that searches log files and bans IPs that exhibit malicious behavior such as too many password failures, looking for vulnerabilities, and so on. It can update firewall rules to refuse the IP addresses for a set period of time.

Postfix and dovecot

Postfix is an open-source mail transfer agent (MTA), the service that sends and receives email. Dovecot is an IMAP/POP3 server that, in our configuration, also handles local delivery and user authentication.

Fail2ban Configuration for dovecot (POP/IMAP) and postfix (SMTP):

The example below assumes that syslog writes security events to /var/log/secure and mail-related events to /var/log/maillog. The daemons in this example are Dovecot for POP3/IMAP and Postfix for SMTP. It also assumes that fail2ban is already installed and operational with iptables.

First, add the following jails to /etc/fail2ban/jail.conf.

[sasl-iptables]
enabled = true
filter = sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
         sendmail-whois[name=sasl, dest=admin@ourdomain.com]
logpath = /var/log/maillog
bantime = 36000
maxretry = 2

[dovecot-secure]
enabled = true
filter = dovecot-secure
action = iptables-multiport[name=dovecot, port="smtp,pop3,imap", protocol=tcp]
         sendmail-whois[name=Dovecot-Secure, dest=admin@ourdomain.com]
logpath = /var/log/secure
maxretry = 2
findtime = 600
bantime = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

[dovecot-maillog]
enabled = true
filter = dovecot-maillog
action = iptables-multiport[name=dovecot-maillog, port="smtp,pop3,imap", protocol=tcp]
         sendmail-whois[name=Dovecot-Maillog, dest=admin@ourdomain.com]
logpath = /var/log/maillog
maxretry = 2
findtime = 600
bantime = 36000
ignoreip = 192.168.0.0/16 127.0.0.1


To configure the Postfix jail, add a jail section with the following settings:

enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port="smtp,pop3,imap", protocol=tcp]
         sendmail-whois[name=Postfix, dest=admin@ourdomain.com]
logpath = /var/log/maillog
maxretry = 2
findtime = 600
bantime = 36000
ignoreip = 192.168.0.0/16 127.0.0.1

After that, create the filter rule files for Postfix and Dovecot in the fail2ban filter directory, /etc/fail2ban/filter.d.

dovecot-maillog.conf

To test the filter against the mail log, run: /usr/bin/fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/dovecot.conf

[Definition]
failregex = (?: Authentication failure|Aborted login|Disconnected).*rip=(?:::f{4,6}:)?(?P<host>\S*),.*
            pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex = (?: Disconnected: Logged out).*

dovecot-secure.conf

To test the filter against the secure log, run: /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf

[Definition]
failregex = (?: authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
            pam.*dovecot.*(?:authentication failure).*rhost=(?:::f{4,6}:)?(?P<host>\S*)
ignoreregex =

dovecot-sasl.conf

failregex: a regex that matches the password failure messages in the log file. The host must be captured by a group named “host”. The tag <HOST> can be used for standard IP/hostname matching and is only an alias for (?:::f{4,6}:)?(?P<host>[\w\-.^_]+). Values: TEXT

[Definition]
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
            \[<HOST>\]: SASL login authentication failed
            \[<HOST>\]: SASL PLAIN authentication failed: authentication failure
            \[<HOST>\]: SASL LOGIN authentication failed: authentication failure

postfix.conf

[Definition]

Option: failregex. A regex that matches the password failure messages in the log file. The host must be captured by a group named “host”. The tag <HOST> can be used for standard IP/hostname matching and is an alias for (?:::f{4,6}:)?(?P<host>[\w\-.^_]+). Values: TEXT.

failregex = reject: RCPT from (.*)\[<HOST>\]: 554
            reject: RCPT from (.*)\[<HOST>\]: 550 5.1.1
            reject: RCPT from (.*)\[<HOST>\]: 554 5.7.1

Option: ignoreregex. A regex of lines to ignore: if this regex matches, the line is ignored. Values: TEXT.

ignoreregex =

Disable Postfix and Dovecot

To ban a client after three failed Postfix or Dovecot authentication attempts, add the following to /etc/fail2ban/jail.local:

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
filter = dovecot
logpath = /var/log/mail.log
maxretry = 3

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
maxretry = 3

Now for the final step of the fail2ban Postfix and Dovecot setup. Fail2ban does not come with a Dovecot filter in this setup, so create /etc/fail2ban/filter.d/dovecot.conf:

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
ignoreregex =

# /etc/init.d/fail2ban restart
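As an added example (not from the page or the fail2ban project), the following Python script applies the dovecot.conf and dovecot-sasl.conf failregex patterns shown above, with the <HOST> tag expanded to the alias the page quotes, to constructed maillog lines, then applies the jail.local thresholds (maxretry = 3, findtime = 600) to show which hosts would be banned and why a slow attacker outside findtime is not. The log lines, addresses and the helper names matches/bans are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag to this alias (quoted in the page's filter notes)
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The page's dovecot.conf and dovecot-sasl.conf failregex lines, <HOST> expanded
FILTERS = {
    "dovecot": re.compile(
        r"(?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed"
        r"|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*"),
    "sasl": re.compile(
        r"(?i): warning: [-._\w]+\[" + HOST + r"\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) "
        r"authentication failed(: [A-Za-z0-9+/]*={0,2})?$"),
}

# Constructed sample maillog lines (RFC 5737 documentation addresses, not real traffic)
MAILLOG = """\
Aug 15 10:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
Aug 15 10:00:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
Aug 15 10:00:15 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.2, lip=10.0.0.5
Aug 15 10:00:20 mx dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5
Aug 15 10:01:02 mx postfix/smtpd[1234]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Aug 15 10:01:05 mx postfix/smtpd[1234]: warning: unknown[192.0.2.9]: SASL PLAIN authentication failed
Aug 15 10:30:00 mx postfix/smtpd[1234]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed
"""

def matches(line):
    """Return (jail, host) for the first filter whose failregex matches the line, else None."""
    for jail, rx in FILTERS.items():
        m = rx.search(line)
        if m:
            return jail, m.group("host")
    return None

def bans(log, maxretry=3, findtime=600):
    """Sliding-window count per (jail, host), the way fail2ban applies maxretry/findtime.
    Returns the (jail, host) pairs that reach maxretry failures inside findtime seconds."""
    windows, banned = {}, []
    for line in log.splitlines():
        hit = matches(line)
        if hit is None:
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog timestamp, no year
        window = [t for t in windows.get(hit, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        windows[hit] = window
        if len(window) >= maxretry and hit not in banned:
            banned.append(hit)
    return banned
```

Running bans(MAILLOG) bans only the Dovecot source: the SASL host's third failure arrives 29 minutes after the first, outside the 600-second findtime, so raising findtime (or lowering maxretry) is what catches slow, low-rate guessing.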


Conclusion

To conclude, it is straightforward to set up fail2ban for Postfix and Dovecot. Fail2ban is an effective tool for detecting and blocking a wide range of malicious activity against the mail services, such as repeated authentication failures, and so helps keep the server secure.
